#########################################
# Generic Firejail AppArmor profile
#########################################

##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}

profile firejail-default flags=(attach_disconnected,mediate_deleted) {

##########
# D-Bus is a huge security hole. Uncomment those lines if you need D-Bus
# functionality.
##########
##include <abstractions/dbus-strict>
##include <abstractions/dbus-session-strict>
#dbus,

##########
# With ptrace it is possible to inspect and hijack running programs. Usually this
# is needed only for debugging. To allow ptrace, uncomment the following line
##########
#ptrace,

##########
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
##########
/ r,
/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,
/run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk,

/{,var/}run/ r,
/{,var/}run/** r,
/run/firejail/mnt/oroot/{,var/}run/ r,
/run/firejail/mnt/oroot/{,var/}run/** r,

owner /{,var/}run/user/[0-9]*/** rw,
owner /{,var/}run/user/[0-9]*/*.slave-socket rwl,
owner /{,var/}run/user/[0-9]*/orcexec.* rwkm,
owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/** rw,
owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/*.slave-socket rwl,
owner /run/firejail/mnt/oroot/{,var/}run/user/[0-9]*/orcexec.* rwkm,

/{,var/}run/firejail/mnt/fslogger r,
/{,var/}run/firejail/appimage r,
/{,var/}run/firejail/appimage/** r,
/{,var/}run/firejail/appimage/** ix,
/run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r,
/run/firejail/mnt/oroot/{,var/}run/firejail/appimage r,
/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r,
/run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix,

/{run,dev}/shm/ r,
owner /{run,dev}/shm/** rmwk,
/run/firejail/mnt/oroot/{run,dev}/shm/ r,
owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk,

# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,

# Needed for wine
/{,var/}run/firejail/profile/@{PID} w,

##########
# Allow /proc and /sys read-only access.
# Blacklisting is controlled from userspace Firejail.
##########
/proc/ r,
/proc/** r,
owner /proc/[0-9]*/{uid_map,gid_map,setgroups} w,
# Uncomment to silence all denied write warnings
#deny /proc/** w,
deny /proc/@{PID}/oom_adj w,
deny /proc/@{PID}/oom_score_adj w,

/sys/ r,
/sys/** r,
# Uncomment to silence all denied write warnings
#deny /sys/** w,

##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, uncomment /home line.
##########
/lib/** ix,
/lib64/** ix,
/bin/** ix,
/sbin/** ix,
/usr/bin/** ix,
/usr/sbin/** ix,
/usr/local/** ix,
/usr/lib/** ix,
/usr/games/** ix,
/opt/ r,
/opt/** r,
/opt/** ix,
#/home/** ix,
/run/firejail/mnt/oroot/lib/** ix,
/run/firejail/mnt/oroot/lib64/** ix,
/run/firejail/mnt/oroot/bin/** ix,
/run/firejail/mnt/oroot/sbin/** ix,
/run/firejail/mnt/oroot/usr/bin/** ix,
/run/firejail/mnt/oroot/usr/sbin/** ix,
/run/firejail/mnt/oroot/usr/local/** ix,
/run/firejail/mnt/oroot/usr/lib/** ix,
/run/firejail/mnt/oroot/usr/games/** ix,
/run/firejail/mnt/oroot/opt/ r,
/run/firejail/mnt/oroot/opt/** r,
/run/firejail/mnt/oroot/opt/** ix,

##########
# Allow access to cups printing socket.
##########
/run/cups/cups.sock w,

##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,

##########
# There is no equivalent in Firejail for filtering signals.
##########
signal,

##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability setgid,
capability setuid,
capability setpcap,
capability linux_immutable,
capability net_bind_service,
capability net_broadcast,
capability net_admin,
capability net_raw,
capability ipc_lock,
capability ipc_owner,
capability sys_module,
capability sys_rawio,
capability sys_chroot,
capability sys_ptrace,
capability sys_pacct,
capability sys_admin,
capability sys_boot,
capability sys_nice,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability mknod,
capability lease,
#capability audit_write,
#capability audit_control,
capability setfcap,
#capability mac_override,
#capability mac_admin,

##########
# We let Firejail deal with mount/umount functionality.
##########
mount,
remount,
umount,
pivot_root,

# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-local>
}
